WinRAR is a very popular software to create and extract archives on Windows and other supported operating systems. Part of its popularity comes from its support for different types of packing formats, another that the software's trial version never expires.
A bug was discovered recently that affects all versions of WinRAR prior to 5.70. The bug, a remote code execution vulnerability, affects all WinRAR versions and thus all 500 million users that use the application.
Security researchers discovered a flaw in a library that WinRAR uses to extract files from archives packed with the ACE format.
Attackers can exploit the vulnerability by pushing specially prepared archives to user systems. The bug can be abused to extract the files into any folder on the system instead of the folder selected by the user or the default folder for extracted files.
Tip: Find out how to repair and extract broken WinRAR archives.
Attackers could select to extract files to Windows' startup folder so that programs are executed on the next start of the system.
The researchers published a video that demonstrates the exploit.
WinRAR uses the content of the file to determine the archive format that was used to compress the files; means, it is not enough to avoid any ACE files for the time being. Attackers could rename ACE files to RAR or ZIP, and WinRAR would handle them just fine.
The library that is responsible for the behavior is UNACEV2.DLL. The maker of WinRAR removed the file from the latest Beta version of WinRAR 5.70. Users can upgrade to the Beta version to protect their devices from the security issue.
Policies may prevent the installation of Beta software on devices, and some Home users might not want to install Beta software either on their computer systems.
These users and administrators may delete the vulnerable file, UNACEV2.DLL from the WinRAR directory to protect the device from the issue. Here is how that is done:
Note: This removes the option to extract ACE files using WinRAR.
I could not find information on the popularity of the ACE format. I remember that it was quite popular (and controversial) more than a decade ago.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.